Searchable symmetric encryption (SSE) allows a party to outsource the storage of its data to another party (a server) in a private manner, while maintaining the ability to selectively search over it. This problem has been the focus of active research in recent years. In this paper we show two solutions to SSE that simultaneously enjoy the following properties: Both solutions are more efficient than all previous constant-round schemes. In particular, the work performed by the server per returned document is constant as opposed to linear in the size of the data. Both solutions enjoy stronger security guarantees than previous constant-round schemes. In fact, we point out subtle but serious problems with previous notions of security for SSE, and show how to design constructions which avoid these pitfalls. Further, our second solution also achieves what we call adaptive SSE security, where queries to the server can be chosen adaptively (by the adversary) during the execution of the search; this notion is both important in practice and has not been previously considered.Surprisingly, despite being more secure and more efficient, our SSE schemes are remarkably simple. We consider the simplicity of both solutions as an important step towards the deployment of SSE technologies.As an additional contribution, we also consider multi-user SSE. All prior work on SSE studied the setting where only the owner of the data is capable of submitting search queries. We consider the natural extension where an arbitrary group of parties other than the owner can submit search queries. We formally define SSE in the multi-user setting, and present an efficient construction that achieves better performance than simply using access control mechanisms.

/pdf/searchable-symmetric-encryption-improved-definitions-and-19ss3wg07l.pdf

Searchable symmetric encryption: improved definitions and efficient constructions

We consider the problem of building a secure cloud storage service on top of a public cloud infrastructure where the service provider is not completely trusted by the customer We describe, at a high level, several architectures that combine recent and non-standard cryptographic primitives in order to achieve our goal We survey the benefits such an architecture would provide to both customers and service providers and give an overview of recent advances in cryptography motivated specifically by cloud storage

/pdf/cryptographic-cloud-storage-3uxa4mufav.pdf

Cryptographic cloud storage

We construct public-key systems that support comparison queries (x ≥ a) on encrypted data as well as more general queries such as subset queries (x∈ S). Furthermore, these systems support arbitrary conjunctive queries (P1 ∧ ... ∧ Pl) without leaking information on individual conjuncts. We present a general framework for constructing and analyzing public-key systems supporting queries on encrypted data.

/pdf/conjunctive-subset-and-range-queries-on-encrypted-data-1kmw5qukz6.pdf

Conjunctive, subset, and range queries on encrypted data

Online applications are vulnerable to theft of sensitive information because adversaries can exploit software bugs to gain access to private data, and because curious or malicious administrators may capture and leak data. CryptDB is a system that provides practical and provable confidentiality in the face of these attacks for applications backed by SQL databases. It works by executing SQL queries over encrypted data using a collection of efficient SQL-aware encryption schemes. CryptDB can also chain encryption keys to user passwords, so that a data item can be decrypted only by using the password of one of the users with access to that data. As a result, a database administrator never gets access to decrypted data, and even if all servers are compromised, an adversary cannot decrypt the data of any user who is not logged in. An analysis of a trace of 126 million SQL queries from a production MySQL server shows that CryptDB can support operations over encrypted data for 99.5% of the 128,840 columns seen in the trace. Our evaluation shows that CryptDB has low overhead, reducing throughput by 14.5% for phpBB, a web forum application, and by 26% for queries from TPC-C, compared to unmodified MySQL. Chaining encryption keys to user passwords requires 11--13 unique schema annotations to secure more than 20 sensitive fields and 2--7 lines of source code changes for three multi-user web applications.

/pdf/cryptdb-protecting-confidentiality-with-encrypted-query-4gyzgz1i1f.pdf

CryptDB: protecting confidentiality with encrypted query processing

Searchable symmetric encryption SSE allows a party to outsource the storage of his data to another party in a private manner, while maintaining the ability to selectively search over it. This problem has been the focus of active research and several security definitions and constructions have been proposed. In this paper we begin by reviewing existing notions of security and propose new and stronger security definitions. We then present two constructions that we show secure under our new definitions. Interestingly, in addition to satisfying stronger security guarantees, our constructions are more efficient than all previous constructions.Further, prior work on SSE only considered the setting where only the owner of the data is capable of submitting search queries. We consider the natural extension where an arbitrary group of parties other than the owner can submit search queries. We formally define SSE in this multi-user setting, and present an efficient construction.

/pdf/searchable-symmetric-encryption-improved-definitions-and-1ghaqvyi64.pdf

Searchable symmetric encryption: Improved definitions and efficient constructions

Network accountability, forensic analysis, and failure diagnosis are becoming increasingly important for network management and security. Network provenance significantly aids network administrators in these tasks by explaining system behavior and revealing the dependencies between system states. Although resourceful, network provenance can sometimes be too rich, revealing potentially sensitive information that was involved in system execution. In this paper, we propose a cryptographic approach to preserve the confidentiality of provenance (sub)graphs while allowing users to query and access the parts of the graph for which they are authorized. Our proposed solution is a novel application of searchable symmetric encryption (SSE) and more generally structured encryption (SE). Our SE-enabled provenance system allows a node to enforce access control policies over its provenance data even after the data has been shipped to remote nodes (e.g., for optimization purposes). We present a prototype of our design and demonstrate its practicality, scalability, and efficiency for both provenance maintenance and querying.

/pdf/privacy-preserving-network-provenance-4juty4g6ay.pdf

Privacy-preserving network provenance

We introduce and study a new notion of enhanced chosen-ciphertext security ECCA for public-key encryption. Loosely speaking, in the ECCA security experiment, the decryption oracle provided to the adversary is augmented to return not only the output of the decryption algorithm on a queried ciphertext but also of a randomness-recovery algorithm associated to the scheme. Our results mainly concern the case where the randomness-recovery algorithm is efficient.

We provide constructions of ECCA-secure encryption from adaptive trapdoor functions as defined by Kiltz et al.i¾?EUROCRYPT 2010, resulting in ECCA encryption from standard number-theoretic assumptions. We then give two applications of ECCA-secure encryption: 1 We use it as a unifying concept in showing equivalence of adaptive trapdoor functions and tag-based adaptive trapdoor functions, resolving an open question of Kiltz et al. 2 We show that ECCA-secure encryption can be used to securely realize an approach to public-key encryption with non-interactive opening PKENO originally suggested by Damgard and Thorbek EUROCRYPT 2007, resulting in new and practical PKENO schemes quite different from those in prior work.

Our results demonstrate that ECCA security is of both practical and theoretical interest.

/pdf/enhanced-chosen-ciphertext-security-and-applications-1otszewn41.pdf

Enhanced Chosen-Ciphertext Security and Applications

As organizations struggle with processing vast amounts of information, outsourcing sensitive data to third parties becomes a necessity. To protect the data, various cryptographic techniques are used in outsourced database systems to ensure data privacy, while allowing efficient querying. Recent attacks on such systems demonstrate that even with strong cryptography, just communication volume or access pattern is enough for an adversary to succeed. 
In this work we present a model for differentially private outsourced database system and a concrete construction, $\mathcal{E}\text{psolute}$, that provably conceals the aforementioned leakages, while remaining efficient and scalable. In our solution, differential privacy is preserved at the record level even against an untrusted server that controls data and queries. Our system combines Oblivious RAM and differentially private sanitizers to create a generic and efficient construction. 
We go further and present a set of improvements to bring the solution to efficiency and practicality necessary for real-world adoption. We describe the way to parallelize the operations, minimize the amount of noise, and reduce the number of I/O operations, while preserving the privacy guarantees. We run an extensive set of experiments, dozens of servers processing up to 10 million records, and compile detailed result analysis proving the efficiency and scalability of our solution.

$\mathcal{E}\text{psolute}$: Efficiently Querying Databases While Providing Differential Privacy

The literature on leakage-resilient cryptography contains various leakage models that provide different levels of security. In this work, we consider the bounded leakage and the continual leakage models. In the bounded leakage model Akavia et al. --- TCC 2009, it is assumed that there is a fixed upper bound L on the number of bits the attacker may leak on the secret key in the entire lifetime of the scheme. Alternatively, in the continual leakage model Brakerski et al. --- FOCS 2010, Dodis et al. --- FOCS 2010, the lifetime of a cryptographic scheme is divided into "time periods" between which the scheme's secret key is updated. Furthermore, in its attack the adversary is allowed to obtain some bounded amount of leakage on the current secret key during each time period.

In the continual leakage model, a challenging problem has been to provide security against leakage on key updates, that is, leakage that is a function not only of the current secret key but also the randomness used to update it. We propose a new, modular approach to overcome this problem. Namely, we present a compiler that transforms any public-key encryption or signature scheme that achieves a slight strengthening of continual leakage resilience, which we call consecutive continual leakage resilience, to one that is continual leakage resilient with leakage on key updates, assuming indistinguishability obfuscation Barak et al. --- CRYPTO 2001, Garg et al. --- FOCS 2013. Under the stronger assumption of public-coin differing-inputs obfuscation Ishai eti¾?al. --- TCC 2015 the leakage rate tolerated by our compiled scheme is essentially as good as that of the starting scheme. Our compiler is obtained by making a new connection between the problems of leakage on key updates and so-called "sender-deniable" encryption Canetti et al. --- CRYPTO 1997. In particular, our compiler adapts and optimizes recent techniques of Sahai and Waters STOC 2014 that make any encryption scheme sender-deniable. We then show that prior continual leakage resilient schemes can be upgraded to security against consecutive continual leakage without introducing new assumptions.

In the bounded leakage model, we develop an entirely new approach to constructing leakage-resilient encryption from obfuscation directly, based upon the public-key encryption scheme from $${\mathsf {iO}} $$ and punctured pseudorandom functions due to Sahai and Waters STOC 2014. In particular, we achieve 1 leakage-resilient public key encryption tolerating L bits of leakage for any L from $${\mathsf {iO}} $$ and one-way functions, 2 leakage-resilient public key encryption with optimal leakage rate of $$1-o1$$ based on public-coin differing-inputs obfuscation and collision-resistant hash functions.

Leakage-Resilient Public-Key Encryption from Obfuscation

Deniable encryption, first introduced by Canetti et al. [14], allows a sender and/or receiver of encrypted communication to produce fake but authentic-looking coins and/or secret keys that "open" the communication to a different message. Here we initiate its study for the more general case of functional encryption FE, as introduced by Boneh et al. [12], wherein a receiver in possession of a key k can compute from any encryption of a message x the value Fk,i¾?x according to the scheme's functionality F. Our results are summarized as follows: We put forth and motivate the concept of deniable FE, for which we consider two models. In the first model, as previously considered by O'Neill et al. [31] in the case of identity-based encryption, a receiver gets assistance from the master authority to generate a fake secret key. In the second model, there are "normal" and "deniable" secret keys, and a receiver in possession of a deniable secret key can produce a fake but authentic-looking normal key on its own. This parallels the "multi-distributional" model of deniability previously considered for public-key encryption.

In the first model, we show that any FE scheme for the general circuit functionality as several recent candidate construction achieve can be converted into an FE scheme having receiver deniability, without introducing any additional assumptions. In addition we show an efficient receiver deniable FE for Boolean Formulae from bilinear maps. In the second multi-distributional model, we show a specific FE scheme for the general circuit functionality having receiver deniability. This result additionally assumes differing-inputs obfuscation and relies on a new technique we call delayed trapdoor circuits. To our knowledge, a scheme in the multi-distributional model was not previously known even in the simpler case of identity-based encryption.

Finally, we show that receiver deniability for FE implies some form of simulation security, further motivating study of the latter and implying optimality of our results.

/pdf/deniable-functional-encryption-1oexj64z2y.pdf

Adam O'Neill

Papers

Privacy-preserving network provenance

Enhanced Chosen-Ciphertext Security and Applications

$\mathcal{E}\text{psolute}$: Efficiently Querying Databases While Providing Differential Privacy

Leakage-Resilient Public-Key Encryption from Obfuscation

Deniable Functional Encryption